Deeplinks

An article in the Guardian yesterday reported that the Pakistani intelligence agency ISI is using sophisticated technology from the U.S. as part of a campaign of kidnapping, torture, and even murder. At first, the target appeared to be radical Islamic groups (which is ironic, because the ISI was a key player in the ascendency of the Taliban in the first place), but soon enough the victims included people who were completely innocent, or guilty only of political opposition to the Pakistani regime. In the middle of this report is a description of how these agencies are using a lot of surveillance technologies that were given to them by the United States, in aid of this campaign:

[I]n late 2001, as al-Qaida fugitives fled from Afghanistan into Pakistan, Musharraf ordered that the agencies show full cooperation to the FBI, CIA and other US security agencies. In return, the Americans would give them equipment, expertise and money.

Suddenly, Pakistan's agencies had sophisticated devices to trace mobile phones, bug houses and telephone calls, and monitor large volumes of email traffic. "Whatever it took to improve the Pakistanis' technical ability to find al-Qaida fighters, we were there to help them," says Michael Scheuer, a former head of the CIA's Osama bin Laden unit. An official with an American organisation says he once received a startling demonstration of the ISI's new capabilities. Driving down a street inside a van with ISI operatives, he could monitor phone conversations taking place in every house they passed. "It was very impressive, and really quite spooky," he says.

The use of U.S. spy technology to help facilitate human rights abuses abroad probably shouldn't come as a surprise. The dangerous "mission creep" of surveillance technologies from anti-terrorist uses to uses against political opponents and ordinary people within the U.S. is well documented, and now it seems we are spreading this problem internationally. It's a good reminder, though, to people who build these tools, or inherently insecure telecommunications systems that make surveillance easy. As Bruce Schneier has said: "it is poor civic hygiene to install technologies that could someday facilitate a police state." And that's true wherever the technology is being deployed.

A few weeks back, we wrote about how domain name registrar GoDaddy took offline Seclists.org based merely on an informal request and without providing any meaningful notice to the site's operator. Unfortunately, this isn't the only instance in which GoDaddy has carelessly ignored its users' rights.

In February, EFF was contacted by an anonymous owner of a parody and criticism website forum that allegedly exposes the financial corruption and domestic scandal of a local politician in Birmingham, Alabama. As part of a civil case in family court, an attorney representing the politician's girlfriend issued a subpoena to GoDaddy seeking the identity of the website owner, who was not a party to the lawsuit.

With the website owner's right to anonymous speech on the line, what did GoDaddy do? It caved without any apparent hesitation, providing its customer with a mere three days to find a lawyer and decide whether to file a challenge. GoDaddy also refused to provide a copy of the subpoena, which included essential information to determine whether and how to respond.

GoDaddy promises in its privacy policy to turn over customers' information only if required by law, but its lawyers didn't give this subpoena even a shred of scrutiny. Had they done so, they could have seen it was clearly invalid -- GoDaddy is located in Arizona and Alabama state law doesn't permit a subpoena to be issued on someone out of state. That was the ultimate conclusion of the state judge who eventually quashed the subpoena, no thanks to GoDaddy.

Even putting aside this aspect of GoDaddy's casual disregard for its customer's interests, the company's behavior is shameful. The First Amendment limits the ability of litigants to pierce a speaker's anonymity, particularly when that person isn't even being sued. GoDaddy owes its customers meaningful notice, time, and information so that they can fight back and protect their rights.

With the help of lawyer Lewis Page, the anonymous website operator did manage to move to quash before it was too late. But GoDaddy's sloppy practices still put an unfair burden on this user and continue to threaten all of its customers' rights.

For what online service providers ought to do to protect their users, check out our best practice guide.

Line Noise, EFF's occasional podcast, is back with a new edition for Sunshine Week. David Sobel, EFF Senior Attorney and director of our FLAG project, talks about uncovering the secrets behind National Security Letters, government datamining, and exactly how big the FBI's file on the CIA is.

You can also subscribe to Line Noise on iTunes (http://phobos.apple.com/WebObjects/MZStore.woa/wa/com.apple.jingle.app.store.DirectAction/viewPodcast?id=157893980).

If you don't have podcast software installed, there are many to choose from (http://www.podcastingnews.com/topics/Podcast_Software.html), including Juice (http://juicereceiver.sourceforge.net/), a multi-platform,

The House of Representatives has passed a bill that will make much-needed updates to the Freedom of Information Act (FOIA), and strengthen the public's right to get records from the federal government. H.R. 1309, the Freedom of Information Act Amendments of 2007, was approved yesterday by a considerable 308-117 margin. But the White House lashed out against the legislation, calling FOIA improvements "premature and counterproductive" in light of a 2005 presidential order requiring agencies to streamline their FOIA processes.

Just this week the National Security Archive released a report showing how necessary FOIA improvements are. The non-profit research group found that most federal agencies have failed to improve online access to public information in spite of a decade-old FOIA change requiring that they do so.

In related news, a bipartisan bill similar to H.R. 1309 was introduced earlier this week in the Senate. Like the House bill, S. 849, the Openness Promotes Effectiveness in our National Government Act of 2007, will improve the public's right to access government information through the FOIA and penalize agencies that don't comply with the law.

Not content with wasting universities' resources via their usual tactics--i.e., flooding them with machine-generated complaints about file sharing--the major record labels are now demanding that universities help them shake down students.

The RIAA has asked universities and colleges to forward "pre-lawsuit" letters to alleged filesharers that promise a "discounted" settlement price if the student agrees to pay up immediately. Forwarding the letters saves the RIAA the trouble and expense of filing a lawsuit to obtain students' contact information--a savings that may be redirected to more lawsuits.

To add insult to injury, the letters advise students to contact the RIAA if they have any questions. It's safe to say that the RIAA is unlikely to give students the full picture. For example, will the RIAA tell students that parents are generally not liable for infringements committed by their kids, or that the record labels sometimes sue the wrong people? Probably not.

We think students should seek out less biased sources of information--and their institutions should assist in that process. Toward that end, we've put together a short FAQ to help students learn more about their options; we hope colleges and universities that forward the RIAA's threat letter will take the additional step of directing students to this FAQ as well as other neutral information sources.

Of course, the RIAA should not be putting universities in this perverse position in the first place. If you'd like to help academic institutions get back to their real mission--educating students, not helping to threaten them--Take action now to help stop the lawsuit campaign.

UPDATE: The University of Wisconsin is refusing to forward the pre-litigation letters to its students. Says Brian Rust of UW's IT department: "These settlement letters are an attempt to short circuit the legal process to rely on universities to be their legal agent." We couldn't have said it better ourselves. On Wisconsin! Update to the Update: The University of Maine has decided to follow suit. UM spokesperson John Diamond: "It's not the university's role to, in effect, serve papers on our students for another party." Go Black Bears!

UPDATE: The University of Nebraska has found a unique way of resisting the RIAA's newest shakedown. Not only will it not pass on most of the letters, the institution is demanding reimbursement for the cost of processing the complaints. Equally notable is the institution's reason for not passing on most of the letters: it can't, because it only retains IP address logs for a month.

Last week, the Department of Justice Inspector General's office released a damning report documenting the FBI abusing its powers under the PATRIOT Act and violating the law to collect Americans' telephone, Internet, financial, credit, and other personal records without judicial approval.

It appears that not everyone at the DOJ got the memo. The DOJ's Life and Liberty website, a site dedicated to defending the honor of the PATRIOT Act during the re-authorization process last spring, still reads as if nothing has changed. Particularly in the light of the newly revealed truth, many of the quotes now seem (at best) naive.

Under the headline of "Examining the Facts", the DOJ asserts that PATRIOT has "four-year track record with no verified civil liberties abuses." The site quotes an op-ed by former House Judiciary Committee Chairman James Sensenbrenner:

Zero. That's the number of substantiated USA PATRIOT Act civil liberties violations. Extensive congressional oversight found no violations. Six reports by the Justice Department's independent Inspector General, who is required to solicit and investigate any allegations of abuse, found no violations.

Wow, that sure sounds good. Unfortunately, the new report reveals that it is simply not true: the inspector general identifies dozens of instances in which extra-judicial demands for personal information -- known as National Security Letters -- may have violated laws and agency regulations.

In the Archive section, the site includes quotes from an op-ed by Senator Pat Roberts responding to critics like ourselves:

I regret to say it, but the rhetoric of those opposed to permanently authorizing the act has no substance and borders on paranoia. Opponents have criticized the act for years but can cite only hypothetical abuses. Facts are stubborn things. The actual record is quite clear - there have been no substantiated allegations of abuse of Patriot Act authorities, period.

Critics could only point to hypothetical abuses because the fox was guarding the hen house. Senator Roberts also opined that:

Through aggressive congressional oversight, we know the FBI uses Patriot Act authorities within the law.

It's now clearer than ever that the oversight was not aggressive enough, with the report documenting that the FBI deceived Congress about its use of the letters. The report is likely only the tip of the iceberg. Immediate and thorough oversight hearings are necessary to uncover the truth and hold the Administration accountable.

After years of criticism from EFF and other privacy advocates, Google announced yesterday a new policy on how it handles logs of its users' searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries.

This is a big change from Google's previous policy, which was essentially to keep all of those logs forever in identifiable form, and we're certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google's own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy.

Hopefully, Google's change in policy will spur other online service providers to consider how they can minimize the amount of personal data that they store, and perhaps even prompt competition between service providers to offer the most privacy-protective services. However, we hope that this new announcement is only Google's first step in changing its privacy practices, because additional changes would better protect user privacy and set an even better example for the industry:

Google should shorten the retention period for identifiable logs to six months at the outside, and ideally to only thirty days (which is AOL's retention limit for similar logs). Barring this, it should at least justify why it needs such records for up to two years, beyond offering one-sentence platitudes about how such records are used to improve Google's service.

Google should also shorten the retention of the "anonymized" logs, which Google apparently still intends to keep forever. As Google itself admits, the new policy changes still don't guarantee users' anonymity, and holding onto those records indefinitely still poses a serious privacy threat.

Therefore, Google should consider more robust anonymization techniques, up to and including scrubbing entire IP addresses rather than just the last quarter or "octet" of such addresses.

Finally, Google should expand its new anonymization policy to include the search records of users with Google Account log-ins, and to records generated by their myriad other services, rather than limiting the policy change to regular search logs.
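To make the difference between these options concrete, here is an added example (not Google's code or any EFF tooling) that applies an anonymize-after-N-days policy to a small constructed log and compares last-octet masking with full scrubbing. The log entries, user labels, and function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, client IP, user label, query).
# The user label exists only to score the outcome; a real log has no such column.
NOW = datetime(2007, 3, 15)
LOG = [
    (NOW - timedelta(days=10),  "198.51.100.23", "alice", "clinic near me"),
    (NOW - timedelta(days=10),  "198.51.100.77", "bob",   "cheap flights"),
    (NOW - timedelta(days=45),  "203.0.113.5",   "carol", "divorce lawyer"),
    (NOW - timedelta(days=400), "203.0.113.5",   "carol", "bankruptcy help"),
    (NOW - timedelta(days=800), "192.0.2.200",   "dave",  "union organizing"),
]

def mask_last_octet(ip):
    """Zero the final octet; the /24 network (at most 256 addresses) survives."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)

def scrub_full(ip):
    """Drop the address entirely so aged records share one indistinct value."""
    return None

def apply_policy(log, now, max_age_days, scrub):
    """Scrub records older than max_age_days.

    Returns (records still holding a full IP,
             aged records whose scrubbed value maps to one user in this log).
    """
    cutoff = now - timedelta(days=max_age_days)
    full_ip, aged_keys, groups = 0, [], defaultdict(set)
    for ts, ip, user, _query in log:
        if ts < cutoff:
            key = scrub(ip)
            groups[key].add(user)
            aged_keys.append(key)
        else:
            full_ip += 1
    narrowed = sum(1 for key in aged_keys if len(groups[key]) == 1)
    return full_ip, narrowed

if __name__ == "__main__":
    for label, days, scrub in [
        ("24 months, last octet", 730, mask_last_octet),
        ("30 days, last octet", 30, mask_last_octet),
        ("30 days, full scrub", 30, scrub_full),
    ]:
        print(label, apply_policy(LOG, NOW, days, scrub))
```

In this sample, shortening the window cuts the number of fully identifiable records, but only full scrubbing stops the aged records from still grouping by network and linking one user's queries to each other.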

Beyond making these additional policy changes, there's one more thing that Google should be doing—something we think it actually has a duty to do as a good corporate citizen and as a preeminent Internet powerhouse—and that is using its considerable political clout to fight for better Internet privacy laws on Capitol Hill. Right now, there are significant questions as to whether or how Internet search logs are protected by existing federal privacy laws, and Google owes it to its customers to publicly advocate for updating those privacy laws for the 21st century.

Online music radio stations may soon be in deep trouble due to a ruling by the Copyright Royalty Board. The ruling [PDF] means that the rates that most webcasters pay to license sound recordings will more than double over the next several years.

Most nonsubscription, noninteractive webcasters pay a royalty rate set by the government in order to license sound recordings (typically from record labels). This statutory license was set up by Congress in 1995 to ensure that online radio would not be left to the impossible task of clearing every song one at a time with each rights holder (traditional terrestrial radio broadcasters pay nothing for using sound recordings, but pay songwriters through three collecting societies: ASCAP, BMI, and SESAC).

Small and nonprofit webcasters have argued that the new rates are essentially unaffordable for them, potentially forcing them to give up webcasting altogether. Pandora, NPR, and the Corporation for Public Broadcasting are already planning legal challenges.

Webcasters and fans all over the Net have been in an uproar about this ruling, and there are plenty of great places for you to learn more and take action. Doc Searls has published an excellent round-up here, the Radio and Internet Newsletter (RAIN) explains the rate's implications here, and the Broadcast Law Blog provides some insight on how the rate was reached.